http://www.cooltang.com/box/topic/character/program/nsfocus/051.htm
Posting site: Wuhan Baiyun Huanghe station (Wed Jan 12 16:30:30 2000), station-internal mail
Title: Using objdump (tested on RedHat 6.0)
This thing has been sitting on your host for ages and you just never read its man page;
maybe you don't want to, or maybe you have no time to work it out.
This saves you that time. Ugh.
Overview:
objdump is a bit like a tool for quickly looking inside things: it displays a binary file
in a readable format, so you can learn about whatever extra information the binary may carry.
If all you want is to run your own programs, this command is meaningless to you.
Programmers who want to understand the system more deeply should master this tool;
at the very least it lets you write your own shellcode, or work out what the shellcode
in someone else's exploit actually does.
Contents:
★Preparations before testing
★The man manual of the RedHat 6.0 objdump command
★Example of an objdump application (to be added)
★Related commands
★Preparations before testing
cp /usr/lib/libpcap.a /home/scz/src
nm -s libpcap.a | more
ar tv libpcap.a
ar xv libpcap.a inet.o
nm -s inet.o
See man nm for what nm -s displays.
★The man page of the RedHat 6.0 objdump command
objdump - display information from object files
objdump [-a] [-b bfdname | --target=bfdname] [-C] [--debugging]
        [-d] [-D] [--disassemble-zeroes]
        [-EB | -EL | --endian={big|little}] [-f]
        [-h] [-i | --info]
        [-j section | --section=section]
        [-l] [-m machine] [--prefix-addresses]
        [-r] [-R]
        [-s | --full-contents] [-S | --source]
        [--[no-]show-raw-insn] [--stabs] [-t]
        [-T] [-x]
        [--start-address=address] [--stop-address=address]
        [--adjust-vma=offset] [--version] [--help]
        objfile...
--archive-headers
-a    Displays the archive member information, similar to ar tv.
      objdump -a libpcap.a
      Compare this with the output of ar tv libpcap.a;
      obviously this option does not add much.
--adjust-vma=offset
      When dumping information, first add offset to all the section
      addresses. This is useful if the section addresses do not
      correspond to the symbol table, which can happen when putting
      sections at particular addresses when using a format which can
      not represent section addresses, such as a.out.
-b bfdname
--target=bfdname
      Specifies the object-file format. This is usually unnecessary, as objdump recognizes many formats automatically.
      For example: objdump -b oasys -m vax -h fu.o
      displays the header summary of fu.o, explicitly stating that the file is an object file produced
      by the compiler on a VAX system in oasys format. objdump -i lists the object-file formats
      that can be specified here.
--demangle
-C    Decodes low-level symbol names into user-level names: besides removing any leading
      underscore, it displays C++ function names in a readable way.
--debugging
      Displays debugging information. It attempts to parse the debugging information stored in the file and print it
      in C-like syntax. Only some types of debugging information are supported.
--disassemble
-d    Disassembles the sections that are expected to contain machine instructions.
--disassemble-all
-D    Like -d, but disassembles all sections.
--prefix-addresses
      Prints the complete address on each line when disassembling. This is the older disassembly format;
      the output is less readable, but it may be useful for comparison.
--disassemble-zeroes
      Normally the disassembly output skips large blocks of zeroes. This option makes the zeroes be disassembled too.
-EB
-EL
--endian={big|little}
      Affects how instructions are disassembled.
      Little-endian is what we used to talk about when doing assembly under DOS;
      that is the case for x86.
--file-headers
-f    Displays the overall header summary of each object in the objfile.
--section-headers
--headers
-h    Displays the header summary of each section in the object file.
--help
      Prints brief help information.
--info
-i    Displays the list of architectures and object formats available for the -b or -m options.
--section=name
-j name
      Displays information only for the specified section.
--line-numbers
-l    Labels the object code with file names and line numbers; only useful together with -d, -D or -r.
      There is not much difference between -ld and -d. It is useful for source-level debugging and requires
      that debugging options such as -g were used at compile time.
--architecture=machine
-m machine
      Specifies the architecture to use when disassembling the object file.
      This is useful for files that carry no architecture information (such as S-records). You can use the -i option
      to list the architectures that can be specified here.
--reloc
-r    Displays the relocation entries of the file. When used with -d or -D, the relocations are printed
      interleaved with the disassembly.
--dynamic-reloc
-R    Displays the dynamic relocation entries of the file; this is only meaningful for dynamic objects, for example some
      shared libraries.
--full-contents
-s    Displays the full contents of the specified sections.
      objdump --section=.text -s inet.o | more
--source
-S    Displays source code intermixed with the disassembly where possible; the effect is obvious when the -g
      debugging option was given at compile time. This implies -d.
--show-raw-insn
      When disassembling, displays the machine-code bytes next to each assembly instruction. This is the default
      unless --prefix-addresses is given.
--no-show-raw-insn
      When disassembling, does not display the machine-code bytes. This is the default when --prefix-addresses
      is given.
--stabs
      Display the contents of the .stab, .stab.index, and
      .stab.excl sections from an ELF file. This is only
      useful on systems (such as Solaris 2.0) in which
      .stab debugging symbol-table entries are carried in
      an ELF section. In most other file formats, debugging
      symbol-table entries are interleaved with
      linkage symbols, and are visible in the --syms output.
--start-address=address
      Starts displaying data at the specified address. This affects the output of the -d, -r and -s options.
--stop-address=address
      Stops displaying data at the specified address. This affects the output of the -d, -r and -s options.
--syms
-t    Prints the symbol table entries of the file, similar to the information provided by nm -s.
--dynamic-syms
-T    Prints the dynamic symbol table entries of the file; this is only meaningful for dynamic objects, for example some
      shared libraries. The information is similar to that displayed by nm -D | --dynamic.
--version
      Prints version information: objdump --version
--all-headers
-x    Displays all available header information, including the symbol table and relocation entries. -x is equivalent
      to specifying -a -f -h -r -t at the same time.
      objdump -x inet.o
See also nm(1).
★Example of an objdump application (to be added)
/*
  gcc -g -Wstrict-prototypes -Wall -Wunused -o objtest objtest.c
*/
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
    /* replace this process with an interactive shell */
    execl("/bin/sh", "/bin/sh", "-i", 0);
    return 0;
}
gcc -g -Wstrict-prototypes -Wall -Wunused -o objtest objtest.c
objdump -j .text -Sl objtest | more
/main (search for main in more)
08048750 <main>:
main():
/home/scz/src/objtest.c:7
*/
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
 8048750:	55                   	pushl  %ebp
 8048751:	89 e5                	movl   %esp,%ebp
/home/scz/src/objtest.c:8
    execl("/bin/sh", "/bin/sh", "-i", 0);
 8048753:	6a 00                	pushl  $0x0
 8048755:	68 d0 87 04 08       	pushl  $0x80487d0
 804875a:	68 d3 87 04 08       	pushl  $0x80487d3
 804875f:	68 d3 87 04 08       	pushl  $0x80487d3
 8048764:	e8 db fe ff ff       	call   8048644 <_init+0x40>
 8048769:	83 c4 10             	addl   $0x10,%esp
/home/scz/src/objtest.c:9
    return 0;
 804876c:	31 c0                	xorl   %eax,%eax
 804876e:	eb 04                	jmp    8048774 <main+0x24>
 8048770:	31 c0                	xorl   %eax,%eax
 8048772:	eb 00                	jmp    8048774 <main+0x24>
/home/scz/src/objtest.c:10
}
 8048774:	c9                   	leave
 8048775:	c3                   	ret
 8048776:	90                   	nop
If that is not clear enough, the following commands can help:
objdump -j .text -Sl objtest --prefix-addresses | more
objdump -j .text -dl objtest | more
Remove the debugging option and recompile:
gcc -O3 -o objtest objtest.c
objdump -j .text -S objtest | more
08048778 <main>:
main():
 8048778:	55                   	pushl  %ebp
 8048779:	89 e5                	movl   %esp,%ebp
 804877b:	6a 00                	pushl  $0x0
 804877d:	68 f0 87 04 08       	pushl  $0x80487f0
 8048782:	68 f3 87 04 08       	pushl  $0x80487f3
 8048787:	68 f3 87 04 08       	pushl  $0x80487f3
 804878c:	e8 db fe ff ff       	call   804866c <_init+0x40>
 8048791:	31 c0                	xorl   %eax,%eax
 8048793:	c9                   	leave
 8048794:	c3                   	ret
 8048795:	90                   	nop
Compared with the binary code from the -g build, there are quite a few differences.
For how to write shellcode, and how to understand the shellcode others give you, see
"How to write your own shellcode" in the digest of the system security board on the Central China site.
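As an added example (not part of the original post), here is a small Python parser for the objdump -d listing format shown above: it rebuilds main() as a flat byte string and checks that the printed addresses and bytes are self-consistent, recomputing the call's rel32 displacement against the target objdump printed. The sample input is the -O3 listing above, re-typed with objdump's tab-separated columns.

```python
import re

# Constructed sample: main() from the -O3 build above, re-typed in objdump's
# three-column layout (address, raw bytes, mnemonic and operands).
SAMPLE_O3 = """\
08048778 <main>:
main():
 8048778:	55                   	pushl  %ebp
 8048779:	89 e5                	movl   %esp,%ebp
 804877b:	6a 00                	pushl  $0x0
 804877d:	68 f0 87 04 08       	pushl  $0x80487f0
 8048782:	68 f3 87 04 08       	pushl  $0x80487f3
 8048787:	68 f3 87 04 08       	pushl  $0x80487f3
 804878c:	e8 db fe ff ff       	call   804866c <_init+0x40>
 8048791:	31 c0                	xorl   %eax,%eax
 8048793:	c9                   	leave
 8048794:	c3                   	ret
 8048795:	90                   	nop
"""

# An instruction line: hex address, colon, hex byte pairs, then the mnemonic.
_INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*(\S.*)$")

def parse_listing(listing):
    """Return [(addr, raw_bytes, text)] for each instruction line; the
    symbol header, 'main():' and any -l/-S source lines do not match."""
    out = []
    for line in listing.splitlines():
        m = _INSN_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3).strip()))
    return out

def check_contiguous(insns):
    """Every instruction must begin exactly where the previous one's bytes end."""
    return all(a + len(raw) == b for (a, raw, _), (b, _, _) in zip(insns, insns[1:]))

def check_rel32_targets(insns):
    """A near call (e8) or jmp (e9) encodes a signed 32-bit displacement from the
    next instruction; recompute it and compare with the target objdump printed."""
    for addr, raw, text in insns:
        if raw[0] in (0xe8, 0xe9) and len(raw) == 5:
            rel = int.from_bytes(raw[1:], "little", signed=True)
            if addr + 5 + rel != int(text.split()[1], 16):
                return False
    return True

def function_bytes(insns):
    """Concatenate the raw bytes, i.e. main() as one flat byte string."""
    return b"".join(raw for _, raw, _ in insns)
```

Feeding it the -g listing instead shows the interleaved source lines being skipped and the extra addl $0x10,%esp and duplicated xorl/jmp that the optimizer removed.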
★Related commands
man objcopy
man nm
man gdb | dbx | sdb
The Chinese user manual for GDB is available on the BBSes of the major universities. Look it up yourself if you
want to learn how to use that tool.